Hybrid HTTP and DNS Beacon

The Hybrid HTTP and DNS Beacon payload is a favorite Cobalt Strike feature. This payload uses DNS requests to
beacon back to you. These DNS requests are lookups against domains that your Cobalt Strike team server is
authoritative for. The DNS response tells Beacon to go to sleep or to connect to you to download tasks. The
DNS response will also tell the Beacon how to download tasks from your team server.

DNS Beacon in Action

Originally, this payload would download all of its tasks via an HTTP GET connection. The purpose of the DNS
beaconing was to minimize the payload's need to connect directly to you. Over time, it became obvious that
there were situations where it would be nice to download tasks over DNS as well.

Data Channels

Today, the Hybrid HTTP and DNS Beacon can download tasks over HTTP, DNS A records, DNS AAAA
records, or DNS TXT records. Better, this payload has the flexibility to change between these data
channels while it's on target. Use Beacon's mode command to change the current Beacon's data
channel. mode http is the HTTP data channel. mode dns is the DNS A record data channel.
mode dns6 is the DNS AAAA record channel. And, mode dns-txt is the DNS TXT record data
channel.

The HTTP data channel uses HTTP POST requests to send information back to you. The DNS data
channels embed data destined for your team server into a long hostname. The maximum length of this
hostname is set by the Malleable C2 maxdns option. The DNS TXT channel will use 100% of this value.
The DNS AAAA channel will use 50% of this value. The DNS A channel will use 25% of this value.

Be aware that DNS Beacon does not check in until there's a task available. Use the checkin command to request
that the DNS Beacon check in next time it calls home.

Listener Setup

The windows/beacon_dns/reverse_http payload stages over an HTTP connection. When you create this listener, be
aware that you're configuring the host and port Cobalt Strike will use to stage this payload over HTTP. Cobalt
Strike knows to stand up a DNS server on port 53 when you choose to set up this payload.

The windows/beacon_dns/reverse_dns_txt payload uses DNS TXT records to download and stage the Hybrid HTTP and
DNS Beacon. When you create this listener, be aware that you're configuring which port this payload will use
for HTTP communication. Again, Cobalt Strike knows to stand up a DNS server on port 53.

If you set up the Hybrid HTTP and DNS Beacon payload with the HTTP stager, be aware that you can still request
the DNS TXT record stager too. Many Cobalt Strike features will let you specify the listener name (DNS) to
force the use of the DNS TXT record stager.

DNS Beaconing Domains

Once you create a listener and press Save, Cobalt Strike will ask you to provide a list of domains to beacon
to. Your Cobalt Strike team server system must be authoritative for the domains you specify. Create a DNS A
record and point it to your Cobalt Strike team server. Use DNS NS records to delegate several domains or
sub-domains to your Cobalt Strike team server's A record.

Listener Configuration

To test your DNS configuration, open a terminal and type nslookup jibberish.beacon.domain. If
you get an A record reply of 0.0.0.0, then your DNS is correctly set up. If you do not get a reply, then your
DNS configuration is not correct and the Hybrid HTTP and DNS Beacon will not communicate with you.
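From a defender's side, the Data Channels section and the 0.0.0.0 test reply above describe observable traits of this traffic: long hostnames carrying data under one delegated zone, a steady stream of never-repeated subdomains, TXT/AAAA-heavy lookups, and A answers of 0.0.0.0 when no task is waiting. The following Python script is an added example, not code from the Cobalt Strike documentation or product. It scores a DNS resolver log for those traits. The log line format, the thresholds (LONG_QNAME_CHARS and friends), the sample log lines and the zone example-c2.test are all constructed for this example.

```python
"""Score DNS resolver logs for beacon-like DNS-channel traffic (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Thresholds are assumptions chosen for this example, not values from the page.
LONG_QNAME_CHARS = 100        # whole query name at or above this is "long"
MIN_QUERIES = 3               # score a (client, zone) pair only after this many queries
UNIQUE_SUBDOMAIN_RATIO = 0.8  # fraction of queries whose name was never seen before
DATA_QTYPES = {"TXT", "AAAA"}  # record types the page names as data channels

# Constructed sample log (not captured traffic). Format: "<ts> <client> <qname> <qtype> <answer>"
LONG_LABEL = "4a1b2c3d4e5f" * 5  # 60-character label standing in for encoded data
SAMPLE_LOG = "\n".join([
    "1700000000 10.0.0.5 www.example.com A 93.184.216.34",
    "1700000001 10.0.0.5 mail.example.com A 93.184.216.35",
    "1700000002 10.0.0.5 www.example.com A 93.184.216.34",
    "1700000003 10.0.0.5 mail.example.com A 93.184.216.35",
    "1700000004 10.0.0.7 api.update.example-cdn.net TXT v=spf1",
    "1700000010 10.0.0.9 a7f3e9c2b1d4.beacon.example-c2.test A 0.0.0.0",
    f"1700000011 10.0.0.9 {LONG_LABEL}.{LONG_LABEL}.beacon.example-c2.test TXT 1a2b3c",
    "1700000012 10.0.0.9 b8e4f0d3c2a1.beacon.example-c2.test A 0.0.0.0",
    f"1700000013 10.0.0.9 {LONG_LABEL}.post.beacon.example-c2.test AAAA ::",
])


@dataclass
class DnsQuery:
    ts: int
    client: str
    qname: str
    qtype: str
    answer: str


@dataclass
class ZoneStats:
    queries: int = 0
    data_type_queries: int = 0           # TXT or AAAA lookups
    unique_names: set = field(default_factory=set)
    longest_qname: int = 0
    zero_answers: int = 0                # A answers of 0.0.0.0 ("nothing to do" reply)


def parse_log(text: str) -> List[DnsQuery]:
    """Parse the constructed five-field log format; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, answer = parts
        out.append(DnsQuery(int(ts), client, qname.lower().rstrip("."), qtype.upper(), answer))
    return out


def zone_of(qname: str) -> str:
    """Approximate the delegated zone as the last two labels of the name."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def summarize(queries: List[DnsQuery]) -> Dict[Tuple[str, str], ZoneStats]:
    """Aggregate per (client, zone) so one host's traffic to one zone is scored together."""
    stats: Dict[Tuple[str, str], ZoneStats] = defaultdict(ZoneStats)
    for q in queries:
        s = stats[(q.client, zone_of(q.qname))]
        s.queries += 1
        s.unique_names.add(q.qname)
        s.longest_qname = max(s.longest_qname, len(q.qname))
        if q.qtype in DATA_QTYPES:
            s.data_type_queries += 1
        if q.qtype == "A" and q.answer == "0.0.0.0":
            s.zero_answers += 1
    return dict(stats)


def score(s: ZoneStats) -> List[str]:
    """Return the list of traits that fired; empty means nothing suspicious."""
    reasons: List[str] = []
    if s.queries < MIN_QUERIES:
        return reasons
    if s.longest_qname >= LONG_QNAME_CHARS:
        reasons.append("long-qname")
    if len(s.unique_names) / s.queries >= UNIQUE_SUBDOMAIN_RATIO:
        reasons.append("high-churn-subdomains")
    if s.data_type_queries / s.queries >= 0.5:
        reasons.append("txt-aaaa-heavy")
    if s.zero_answers:
        reasons.append("a-record-0.0.0.0")
    return reasons


def find_beacon_candidates(text: str) -> List[dict]:
    """Parse, aggregate and score a log; candidates with the most traits come first."""
    results = []
    for (client, zone), s in summarize(parse_log(text)).items():
        reasons = score(s)
        if reasons:
            results.append({"client": client, "zone": zone,
                            "queries": s.queries, "reasons": reasons})
    return sorted(results, key=lambda r: (-len(r["reasons"]), r["client"]))


if __name__ == "__main__":
    for cand in find_beacon_candidates(SAMPLE_LOG):
        print(cand)
```

Scoring per (client, zone) rather than per query is deliberate: a single long TXT lookup is common (SPF, DKIM, verification records), but one internal host generating a stream of unique, long names under one zone and receiving 0.0.0.0 answers is the pattern worth a closer look. The 0.0.0.0 trait only matters when the queried zone is external to your own infrastructure, so in production you would exclude your own zones first.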

If you are behind a NAT device, make sure that you use your public IP address for the NS record and set your
firewall to forward UDP traffic on port 53 to your system. Cobalt Strike includes a DNS server to control
Beacon.